Using Smart Card Certificate Revocation Checking

<

You can prevent users who have revoked user certificates from authenticating with smart cards by configuring certificate revocation checking. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another.

View supports certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an X.509 certificate.

You can configure certificate revocation checking on a View Connection Server instance or on a security server. When a View Connection Server instance is paired with a security server, you configure certificate revocation checking on the security server. The CA must be accessible from the View Connection Server or security server host.

You can configure both CRL and OCSP on the same View Connection Server instance or security server. When you configure both types of certificate revocation checking, View attempts to use OCSP first and falls back to CRL if OCSP fails. View does not fall back to OCSP if CRL fails.

When you configure OCSP certificate revocation checking, View sends a request to an OCSP Responder to determine the revocation status of a specific user certificate. View uses an OCSP signing certificate to verify that the responses it receives from the OCSP Responder are genuine.